Slashdot Mirror


Hackers Stole Customer Credit Cards in Newegg Data Breach (techcrunch.com)

Newegg is clearing up its website after a month-long data breach. TechCrunch: Hackers injected 15 lines of card skimming code on the online retailer's payments page which remained for more than a month between August 14 and September 18, Yonathan Klijnsma, a threat researcher at RiskIQ, told TechCrunch. The code siphoned off credit card data from unsuspecting customers to a server controlled by the hackers with a similar domain name -- likely to avoid detection. The server even used an HTTPS certificate to blend in. The code also worked for both desktop and mobile customers -- though it's unclear if mobile customers are affected.

The online electronics retailer removed the code on Tuesday after it was contacted by incident response firm Volexity, which first discovered the card skimming malware and reported its findings. Newegg is one of the largest retailers in the US, making $2.65 billion in revenue in 2016. The company touts more than 45 million monthly unique visitors, but it's not known precisely how many customers completed transactions during the period.

87 of 149 comments

  1. guess they have egg on their faces by Anonymous Coward · · Score: 2, Funny

    lol

  2. Only a month? by omnichad · · Score: 1

    The last step of checkout has been glitchy for over a year. Though I have been using a card on file and only had to enter my CVV code multiple times or gave up and used PayPal.

    1. Re:Only a month? by jellomizer · · Score: 1

      The reason he got away with it was that his hack fixed the process while he was at it.

      --
      If something is so important that you feel the need to post it on the internet... It probably isn't that important.
    2. Re:Only a month? by Anubis+IV · · Score: 1

      It's sounding like NoScript, uMatrix, uBlock Origin with third-parties disabled, etc. may have prevented this attack for users. From what I've gathered, the attack revolved around inserting malicious code into a first-party script so that the page would transmit user information to servers under the attacker's control as the user entered it. Since the malicious code was running client-side and was phoning home to a third-party server, I believe those extensions should have been capable of preventing the malicious code from phoning home.

      I'm certainly hoping that's the case, given that I was running one of those extensions, had it configured to block third-parties by default, and bought items from Newegg during that time period...
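Added example, not from the thread or from any of the vendors named in it: a minimal evaluator for the Content-Security-Policy `connect-src` directive, which is the standards-based form of the "block connections to third parties" behaviour the comment above credits with stopping the phone-home. All hostnames and the policy string are constructed placeholders (assumptions), not values from the incident.

```javascript
// Added example (not from the thread): a minimal evaluator for the CSP
// `connect-src` directive, the standards-based form of "block connections to
// third parties" that the comment above credits with stopping the phone-home.
// Hostnames below are constructed placeholders, not from the incident.

const DEFAULT_PORTS = { "https:": "443", "http:": "80", "wss:": "443", "ws:": "80" };

// Return the source expressions of one directive, or null if it is absent.
function getDirective(policy, name) {
  for (const part of policy.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length && tokens[0].toLowerCase() === name) return tokens.slice(1);
  }
  return null;
}

// Match one host-source or scheme-source expression against a request URL.
// Simplified CSP3 matching: scheme, host (leading "*." wildcard) and port;
// path restrictions are not modelled.
function hostSourceMatches(expr, url, pageUrl) {
  if (expr === "*") return true;                       // any network host
  if (/^[a-z][a-z0-9+.-]*:$/i.test(expr)) {            // scheme-source, e.g. "https:"
    return url.protocol === expr.toLowerCase();
  }
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?([^/:]+)(?::(\d+|\*))?/i.exec(expr);
  if (!m) return false;
  const [, scheme, host, port] = m;

  // Scheme: an explicit one must match; an omitted one inherits the page's
  // scheme, and http pages may still contact https hosts.
  const want = scheme ? `${scheme.toLowerCase()}:` : pageUrl.protocol;
  if (url.protocol !== want && !(want === "http:" && url.protocol === "https:")) return false;

  // Host: "*.example.com" matches any subdomain but not example.com itself.
  const h = url.hostname.toLowerCase();
  const p = host.toLowerCase();
  if (p.startsWith("*.")) {
    const suffix = p.slice(1);
    if (!h.endsWith(suffix) || h.length === suffix.length) return false;
  } else if (h !== p) {
    return false;
  }

  // Port: "*" is anything; an explicit port must match exactly; an omitted
  // port means the URL must be on its scheme's default port (URL leaves it "").
  if (port === "*") return true;
  if (port) return (url.port || DEFAULT_PORTS[url.protocol] || "") === port;
  return url.port === "";
}

// Would a connection from a page at pageOrigin to requestUrl be permitted?
// connect-src falls back to default-src; with neither present, CSP does not
// restrict connections at all, which is why script-src alone is not enough
// against an injected first-party script.
function cspAllowsConnect(policy, requestUrl, pageOrigin) {
  const sources = getDirective(policy, "connect-src") ?? getDirective(policy, "default-src");
  if (sources === null) return true;
  const url = new URL(requestUrl);
  const pageUrl = new URL(pageOrigin);
  for (const expr of sources) {
    const kw = expr.toLowerCase();
    if (kw === "'self'") {
      if (url.origin === pageUrl.origin) return true;
    } else if (!kw.startsWith("'")) {                  // 'none', nonces, hashes match nothing here
      if (hostSourceMatches(expr, url, pageUrl)) return true;
    }
  }
  return false;
}

// The scenario from the thread: a script already running first-party on the
// checkout page tries to send form contents to a lookalike host that presents
// a valid certificate. TLS is satisfied; only the connection policy says no.
const PAGE_ORIGIN = "https://checkout.example.com";                 // constructed
const EXFIL_URL = "https://checkout.example-com.net/collect";       // constructed lookalike
const POLICY = "default-src 'self'; script-src 'self'; connect-src 'self' https://api.example.com";

function main() {
  const cases = [
    ["same-origin cart API", "https://checkout.example.com/api/cart"],
    ["allowlisted partner API", "https://api.example.com/v1/auth"],
    ["lookalike exfil host", EXFIL_URL],
    ["allowlisted host, unexpected port", "https://api.example.com:8443/x"],
  ];
  for (const [label, target] of cases) {
    const verdict = cspAllowsConnect(POLICY, target, PAGE_ORIGIN) ? "ALLOW" : "BLOCK";
    console.log(`${verdict}  ${label}: ${target}`);
  }
}
main();
```

A real deployment would also constrain `form-action` and `img-src`, since exfiltration is not limited to fetch/XHR, and would be monitored through `report-to` so that blocked attempts become a detection signal rather than a silent failure.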

    3. Re:Only a month? by omnichad · · Score: 1

      Nothing worse than broken validation that doesn't expect you to copy/paste, insert in the middle of existing text, or hit backspace (or tab).

    4. Re:Only a month? by rahvin112 · · Score: 1

      You still shop at newegg?

      I use the place to lookup stuff because Amazons categorization/features in computers is garbage but I don't buy anything there, they are never ever cheaper than Amazon anymore. I don't think I've bought anything from them since 2010.

    5. Re:Only a month? by omnichad · · Score: 1

      Mostly Samsung EVO 850/860 sales. Amazon isn't always cheaper, though. They have consistent low prices, but the only "sales" they have is sometimes silently matching other people's sale prices.

    6. Re:Only a month? by PoopMonkey · · Score: 1

      I can occasionally find things cheaper on NewEgg. HGST drives tend to always be cheaper on NewEgg, plus I don't have to pay sales tax through NewEgg.

  3. PKI Failing Again by TechyImmigrant · · Score: 1

    It had one job to do.

    --
    I should use this sig to advertise my book ISBN-13 : 978-1501515132.
    1. Re:PKI Failing Again by jellomizer · · Score: 1

      I never saw the need for all the checking to make sure your keys are from a valid certifying agency.
      Just as long as you pay, you get the cert. They are not doing what they are really supposed to be doing: validating your identity and the validity of the request. So if you buy a cert for newagg.com, they should stop and realize that it is close to the popular newegg.com and should dig further to ensure that what they are doing is what they say they are and it's legit.
      If you are paying hundreds of bucks then they should do more than run a simple script to give you a key.

      --
      If something is so important that you feel the need to post it on the internet... It probably isn't that important.
  4. My current rating for NewEgg is... by nwaack · · Score: 2

    ...one gold egg. Seriously, it was there for A MONTH and nobody noticed? Might be time to switch to a different site for my computer parts.

    1. Re:My current rating for NewEgg is... by EvilSS · · Score: 2

      Newegg hasn't been the same since they got bought out a couple years ago. Shame really.

      --
      I browse on +1 so AC's need not respond, I won't see it.
    2. Re:My current rating for NewEgg is... by Anonymous Coward · · Score: 4, Informative

      Was that when they stopped being price competitive with freaking brick and mortar mom and pop stores? Or when they started cleverly listing junk from seedy third parties?

      NewEgg turned to shit long ago, and has been sliding further ever since.

    3. Re:My current rating for NewEgg is... by nitehawk214 · · Score: 1

      Between selling random non-electronics-related junk and 3rd-party sellers, it has become just another Amazon wannabe.

      --
      I'm a good cook. I'm a fantastic eater. - Steven Brust
    4. Re:My current rating for NewEgg is... by jwhyche · · Score: 3

      Now they are trying to be like Amazon and sell anything and everything. Newegg used to be my 'go to' place for computer parts, but now I do more shopping around. I liked it better when Newegg was a computer parts store. But the recommendation AI was a source of entertainment when they changed. "Hey, we see you just bought four 3TB HDs for a NAS; wouldn't you like to buy this chain saw to go with it?"

      Back on topic. This kind of explains the porn ransomware email I got a few weeks back. I changed my phone number to my new number on Newegg and less than 24 hours later I got a scam email saying they had videos of me watching porn on my phone. And unless I coughed up a bucket of shekels they were going to send it to everyone on my contact list. Newegg was the only place that had my email address and new phone number. The new phone number was listed in the email.

      --
      I read at +2. If your post doesn't reach that level I will not see or respond to it.
    5. Re:My current rating for NewEgg is... by stevenvi · · Score: 1

      I remember Egghead Software, and always wondered if they were related to NewEgg -- though didn't wonder enough to check the Wikipedia page or anything. :-p

    6. Re:My current rating for NewEgg is... by kackle · · Score: 1

      Yes; I bought a C compiler there - Watcom's (now free), after I read it was used to create Doom and I wanted to learn more about C. This was in the late 1990s, and I think I paid ~ $100. This was back when you could buy the Netscape web browser in a box off the shelf at Best Buy for $40ish!

    7. Re:My current rating for NewEgg is... by Hylandr · · Score: 1

      I bought my first SoundBlaster card there. :)

      So much a different time back then.

      --
      ~ People that think they are better than anyone else for any reason are the cause of all the strife in the world.
    8. Re:My current rating for NewEgg is... by 93+Escort+Wagon · · Score: 1

      Does anyone remember when they were EggHead Software and were a brick and mortar company?

      IIRC the very first time my credit card number ever got stolen was when somebody broke into EggHead's systems. I believe that was the 2000 data breach which is mentioned in the Wikipedia article on the company.

      However you're incorrect in tying the two companies together. From Wikipedia's NewEgg article:

      The company has no relation to the Egghead Software chain that was active from 1984 to 2001.

      --
      #DeleteChrome
    9. Re:My current rating for NewEgg is... by tlhIngan · · Score: 1

      Does anyone remember when they were EggHead Software and were a brick and mortar company?

      No, there is no relation between NewEgg (2000-present) and Egghead Software (1984-2001).

      Two separate companies and from what I can tell, Egghead died out in the late 80s or mid-90s or so. Lots of memories of visiting them though to get new stuff.

      Stuff in baggies was always fun!

    10. Re:My current rating for NewEgg is... by Hylandr · · Score: 1

      Curious.

      I had always associated the two since one shriveled up about the time the other started.

      My bad. Thanks for pointing that out.

      --
      ~ People that think they are better than anyone else for any reason are the cause of all the strife in the world.
    11. Re:My current rating for NewEgg is... by hawk · · Score: 1

      There is no *corporate* relationship.

      The folks who built and sold Egghead later created NewEgg (and I guess that that's been sold, too, now)

      hawk

    12. Re:My current rating for NewEgg is... by jwhyche · · Score: 2

      They said it was good porn, that "I have really good tastes." I would like to know what I was watching too. I let everyone on my contact list know to let me know when the blackmail video shows up. So far it has been 2 weeks. Still waiting.

      --
      I read at +2. If your post doesn't reach that level I will not see or respond to it.
    13. Re:My current rating for NewEgg is... by cwsumner · · Score: 1

      My guess is Amazon inserted the skimming code.

      Interesting theory...
      I would not be much surprised to find that true.

    14. Re:My current rating for NewEgg is... by ncc74656 · · Score: 1

      This kind of explains the porn ransomware email I got a few weeks back. I changed my phone number to my new number on Newegg and less than 24 hours later I got a scam email saying they had videos of me watching porn on my phone. And unless I coughed up a bucket of shekels they were going to send it to everyone on my contact list.

      I received one of those, and another one that said they had records of me browsing some pr0n site...never mind that I don't visit websites for pr0n. At least it was a solid indication that they're basically bullshit artists looking to con the gullible. After all, if they're going to lie about your browsing habits, what are the odds they'll be any more truthful about their claims to have pwned your phone?

      A couple months back, some other scammers threatened to DDoS my website if I didn't fork over some ever-increasing amount of Bitcoin. I suspected it was an idle threat. I notified my VPS provider on the off-chance that it wasn't, but the deadline came and went with not so much as an upward blip in traffic.

      --
      20 January 2017: the End of an Error.
    15. Re:My current rating for NewEgg is... by stevenvi · · Score: 1

      Actually, now that I actually did look at the Wikipedia articles, it seems there is no relation between the two.

      The company has no relation to the Egghead Software chain that was active from 1984 to 2001.

      The reference for this claim is a dead link, however.

    16. Re:My current rating for NewEgg is... by Chissblue · · Score: 1

      Oh yeah. It's where I purchased 'Internet In a Box' kit for my 386 pre-pentium pc.

    17. Re:My current rating for NewEgg is... by lsatenstein · · Score: 1

      ...one gold egg. Seriously, it was there for A MONTH and nobody noticed? Might be time to switch to a different site for my computer parts.

      Time to apply for a replacement card with new CCD or whatever.

      --
      Leslie Satenstein Montreal Quebec Canada
  5. Re:Use PayPal or similar. by GameboyRMH · · Score: 1

    Came here to see if Paypal payments would be affected, I ordered stuff from them just a couple weeks ago using Paypal as the payment method (to work around Newegg's billing address restrictions).

    --
    "When information is power, privacy is freedom" - Jah-Wren Ryel
  6. Using stored credentials would've been safer... by mi · · Score: 1

    The usual advice is to not let the merchant store your credit card credentials — so they would not be stolen when the company's DB is.

    This time, however, the people keeping their cards "on file" with Newegg were safe, whereas those, who entered the credentials anew, weren't...

    --
    In Soviet Washington the swamp drains you.
  7. Certificate? by AlanObject · · Score: 1

    So the bad guys got a 3rd-party certificate? Last time I got one (Comodo I think) for my mail server they actually verified my identity by phone in order to actually issue the certificate for me.

    Is that not routine now? How could the bad guys not be traced if they went so far as to buy a cert?

    1. Re:Certificate? by cascadingstylesheet · · Score: 1

      So the bad guys got a 3rd-party certificate? Last time I got one (Comodo I think) for my mail server they actually verified my identity by phone in order to actually issue the certificate for me.

      Is that not routine now? How could the bad guys not be traced if they went so far as to buy a cert?

      They got a certificate for a "similar" domain.

      The code siphoned off credit card data from unsuspecting customers to a server controlled by the hackers with a similar domain name -- likely to avoid detection.

      Could have used Let's Encrypt.

    2. Re:Certificate? by jellomizer · · Score: 1

      That would be expensive. Why pay someone to make a phone call when you can have a script that will generate the cert after the payment gets processed? Nearly all profit.
      Besides, the customer isn't the one getting screwed by getting a cert. It is just someone else who isn't a customer who will get affected.

      --
      If something is so important that you feel the need to post it on the internet... It probably isn't that important.
    3. Re:Certificate? by QuietLagoon · · Score: 1

      ...Could have used Let's Encrypt....

      They could have used any of the cert providers that use the "do you own the domain" email verification. That includes most of the cert vendors for the low-security certs (including Comodo when I had used them).

  8. Thank you HTTPS zealots by Lije+Baley · · Score: 2, Funny

    I sleep better knowing that HTTPS has made us all safe from teh hax0rs.

    --
    Strange things are afoot at the Circle-K.
    1. Re:Thank you HTTPS zealots by willaien · · Score: 2

      HTTPS did its job. There was no interception of data between the server and the client. Can't do shit if the server is compromised.

    2. Re:Thank you HTTPS zealots by Lije+Baley · · Score: 1, Insightful

      Yes, but you are thinking of the classic job of https, not the new and bogus "https means it's legit, everything should be https" line of thinking, re Google.

      --
      Strange things are afoot at the Circle-K.
    3. Re:Thank you HTTPS zealots by willaien · · Score: 1

      I mean, it kinda did serve that purpose as well. The lock in the page did correctly state that:
      1) The page you've been served is indeed from newegg.com, and
      2) No data transmitted to or from you will be visible to any man in the middle.

      No amount of transportation security can stop a compromised server from serving incorrect content or siphoning off data itself.

    4. Re:Thank you HTTPS zealots by Lije+Baley · · Score: 1

      Car analogy time: A friend of mine decides to drive into a bad neighborhood to go to a certain store, so I give him an HTTPS charm to hang from his rear view mirror. I promise that it will protect him while he's driving to the store. So he drives safely there, parks nearby, and gets mugged going into the store. The charm did its job of preventing the (less likely) loss of his wallet while driving, but nothing to prevent the (far more likely) theft once he has arrived.

      --
      Strange things are afoot at the Circle-K.
    5. Re:Thank you HTTPS zealots by Lije+Baley · · Score: 1

      What does HTTPS mean then? That it is potentially legitimate? So I guess a half-full glass really is better than a half-empty one...

      --
      Strange things are afoot at the Circle-K.
    6. Re:Thank you HTTPS zealots by QuietLagoon · · Score: 2

      I sleep better knowing that HTTPS has made us all safe from teh hax0rs.

      If that is what you think the purpose of https is, then you really should not be sleeping better, you should be learning more about https.

    7. Re:Thank you HTTPS zealots by Anonymous Coward · · Score: 1

      Yes, but you are thinking of the classic job of https, not the new and bogus "https means it's legit, everything should be https" line of thinking, re Google.

      Classic absurd argument that if something doesn't stop everything, including things it has no role in, it shouldn't be used. There's no reason NOT to use https but it's not some magic bullet that keeps everything, everywhere safe.

    8. Re:Thank you HTTPS zealots by willaien · · Score: 1

      Except in your analogy, you ignore that the point of https is to prevent _man in the middle attacks_, like say, you connecting to wifi at a starbucks with a compromised router (or think you're connecting to starbucks wifi, but you're really connected to Jim Bob's router). It also hides your traffic from your ISP, which prevents them from snooping your traffic to inject ads (real issue with some ISPs) or sell your clickstream data (they can only sell what ips you connected to).

    9. Re:Thank you HTTPS zealots by willaien · · Score: 1

      HTTPS just means that the server you've connected to is probably the real server associated with that domain name, and that an actor without the private key of the server you're connecting to cannot read what's being sent either way, nor tamper with it.

    10. Re:Thank you HTTPS zealots by Lije+Baley · · Score: 1

      Classic reading comprehension failure. I am making no such argument.

      --
      Strange things are afoot at the Circle-K.
    11. Re:Thank you HTTPS zealots by slack_justyb · · Score: 1

      not the new and bogus "https means it's legit, everything should be https" line of thinking, re Google

      That's not even the thought process from Google. Here is the proposal from way back when. Relevant section:

      We all need data communication on the web to be secure (private, authenticated, untampered). When there is no data security, the UA should explicitly display that, so users can make informed decisions about how to interact with an origin. Roughly speaking, there are three basic transport layer security states for web origins: Secure (valid HTTPS, other origins like (*, localhost, *)); Dubious (valid HTTPS but with mixed passive resources, valid HTTPS with minor TLS errors); and Non-secure (broken HTTPS, HTTP).

      Emphasis mine. And if you are wondering about the wording there, the exact definition can be found on the W3 site here. Which says if you trust the site then you can be assured that the information you transmit to the site has done so securely, that you can trust that they received the information that you sent them.

      At no point can any standards body or web vendor indicate how compromised or fully functioning the host you are sending your data to is. At no point has any web browser maker (Apple, Google, Microsoft, Mozilla, et al) indicated that "Secure Host" == "Non Compromised Host". They have only indicated transmission "Secure Transmission to host" == "Non Compromised Transmission to host". What the host does with it, be it to send your data to some gulag in Siberia, to your bank for processing, or both is completely dependent on the remote host.

    12. Re:Thank you HTTPS zealots by Lije+Baley · · Score: 1

      And now you are back to talking about HTTPS "job 1" which I am not arguing against.
      The point of the analogy was to illustrate these ideas:
      a) HTTPS does "job 1" just fine, though the actual threat for most people in that area is low (at least in a relative sense),
      and b) HTTPS does not play a role in the area that is a larger actual threat -- on the server side.
      The ultimate point being that the push to require HTTPS for everything is a "priority inversion" and gives non-technical internet users a false sense of security, at least the ones still not completely numb from security fatigue.
      Also I just really wanted to make a car analogy.

      --
      Strange things are afoot at the Circle-K.
    13. Re:Thank you HTTPS zealots by Lije+Baley · · Score: 1

      You and I understand these distinctions, but the effect for the non-technical user, who the browser makers have labored to shelter and make as ignorant as possible (i.e. hiding URLs, protocols, etc.), is HTTP = bad, HTTPS = good. No website will want to be "bad", so they will all move to HTTPS, which is really not "just a good thing anyway" for the internet or the environment, if you think about the immense volume of traffic to which it would add the inefficiencies of (in some cases another layer of) encryption.

      --
      Strange things are afoot at the Circle-K.
    14. Re:Thank you HTTPS zealots by Lije+Baley · · Score: 1

      While I kind of like the ring of being called "Jesus moron", you really should read threads carefully and from the top down. If you had you could have saved yourself a bunch of typing and excitement.

      --
      Strange things are afoot at the Circle-K.
  9. I'm laughing so hard my sides ache by Rick+Schumann · · Score: 1

    "Paying electronically is safer, Rick, you shouldn't use cash for anything, you'll just get mugged!", they said. "It's all secured with encrytion, nothing to worry about!", they said

    What's next, you going to tell me the Equifax breach was 'fake news' and never happened?

    "Oh, well, I don't buy things from Newegg so I feel perfectly safe!", they say to you

    Seriously, folks, when is enough going to be enough for you all? It's objectively clear that electronic payment systems, regardless of whose they are, are not anything even close to secure. Leave the plastic at home (or at least leave it in your wallet), pay cash for things in person, and look for some way to at least limit your exposure to the overwhelming risk of paying electronically for anything, anywhere, ever. Do it starting TODAY. Plan on doing it for a long time to come, because these mentally challenged primates who run these systems apparently can't keep all the holes plugged.

    1. Re:I'm laughing so hard my sides ache by plague911 · · Score: 1

      Nonsense. Cutting yourself off from the civilized world is not a solution. The time/cost efficient solution is use something like credit karma and a credit card with fraud protection. Check your bill every month or two and you are fine. Sure your data may get stolen every few years, but the credit card company will eat the cost and you'll be fine.

    2. Re:I'm laughing so hard my sides ache by nitehawk214 · · Score: 1

      And we can take our horse-and-buggy down to the open air market to buy all of our locally produced goods.

      --
      I'm a good cook. I'm a fantastic eater. - Steven Brust
    3. Re:I'm laughing so hard my sides ache by Rick+Schumann · · Score: 1

      He thinks I've 'cut myself off from the civilized world'
      You're hilarious; what are you smoking to actually think that? I've been on cash for TWO YEARS and it hasn't 'cut me off' from ANYTHING. Get real and stop trading your actual security for mere 'convenience' and maybe your identity won't get stolen and bank accounts drained.

    4. Re:I'm laughing so hard my sides ache by Rick+Schumann · · Score: 1

      My bank doesn't do any of that, so I'll just continue using cash like I have for the past 2 years and NGAF about any of that until the rest of the world gets its head out of its collective ass and starts giving a damn about actual data security when it comes to people's money and private data -- which means I'll be paying cash until I drop dead of old age. Nobody really cares so long as they're making money themselves. We're just peons/plebeians, The Rich DGAF about what happens to us or our worthless little lives, their shit is all secured and protected to the Nth degree, so why should they care? Guess I have to take control of the situation where it concerns me -- which is exactly what I've been doing. Also has the nice side-benefit of making balancing my checkbook take all of 5 minutes every month, and I never have to worry about a bunch of receipts in my wallet to enter into the spreadsheet. Guess the rest of the sheep can continue with their 'conveniences' and the cumulative risk of having their banking information stolen every time they do, and when their bank accounts are drained, credit cards charged to the max, and identity stolen, they'll go cry to Congress about it -- who will do precisely dick, because (as outlined above) they DGAF, their shit is already secure, why should they care about us? Corporations and profits, not citizens' lives.

    5. Re:I'm laughing so hard my sides ache by Bruinwar · · Score: 1

      Good for you, use cash. I've considered returning to cash only a few times. However, I do get protections from my CC company that I've used before. Plus that 4-5% cash back. & damn I got 80000 frequent flier miles! I used 70000 miles this year for an excellent vacation for my wife & I.

      So go ahead, I actually admire those that are able to only shop local on a cash only basis. It's just not for me. I pay for my credit protection service (not fucking LifeLock), & will pay attention. Rent cars as needed & buy stuff online that I can't get locally.

      --
      SLOWER TRAFFIC KEEP RIGHT
    6. Re:I'm laughing so hard my sides ache by jwhyche · · Score: 2

      You have to forgive Rick. I'm not sure he understands how the modern economy works. Even Farmer Brown down at my local farmers market takes plastic. Just slides it through his iphone and we are good. I think he can take samsung and apple pay too.

      --
      I read at +2. If your post doesn't reach that level I will not see or respond to it.
    7. Re:I'm laughing so hard my sides ache by nitehawk214 · · Score: 1

      He thinks he can buy everything locally therefore only ever needing cash.

      I can use italics to strawman people's arguments, too.

      Though I am not sure you don't believe this. Real question: how do you buy something that isn't sold at a local brick and mortar store?

      --
      I'm a good cook. I'm a fantastic eater. - Steven Brust
    8. Re:I'm laughing so hard my sides ache by Rick+Schumann · · Score: 1

      I don't pay for things on the internet. /thread

    9. Re:I'm laughing so hard my sides ache by Rick+Schumann · · Score: 1

      Spoiler: I don't buy things on the internet anymore. :-)

    10. Re:I'm laughing so hard my sides ache by nitehawk214 · · Score: 1

      No, he is asking how you pay to get online in the first place. I suppose you could do prepaid phone cards from a store, but those get expensive if you are using them just for regular internet access.

      --
      I'm a good cook. I'm a fantastic eater. - Steven Brust
    11. Re:I'm laughing so hard my sides ache by Howitzer86 · · Score: 1

      Can't. Where I live, that'd limit my tech purchases to Bestbuy and Walmart.

    12. Re:I'm laughing so hard my sides ache by Rick+Schumann · · Score: 1

      None of this matters. Everyone else just says "LOL there's no other possible way so we'll just keep doing the same things we've been doing and hope nothing bad happens LOL" which is pants-on-head stupid, at least I'm doing something to protect myself that isn't some useless feel-good nonsense.

    13. Re:I'm laughing so hard my sides ache by nitehawk214 · · Score: 1

      Ok, nice attempt to change the subject, you didn't answer the question.

      --
      I'm a good cook. I'm a fantastic eater. - Steven Brust
    14. Re:I'm laughing so hard my sides ache by Rick+Schumann · · Score: 1

      I pay CASH at payment stations for all my utilities and get a receipt. /subject

  10. What's to stop it from happening again? by mark-t · · Score: 4, Interesting

    The real breach is in that the attackers were somehow able to change the web page content to achieve this end. Do they know how the attackers accomplished this? If not, what's to stop it from reoccurring, even if not by the same people, when someone else figures it out?

    1. Re:What's to stop it from happening again? by mark-t · · Score: 1

      Which itself is fine... there's no reason to disclose that information, but was it something they can mitigate, or is it only a matter of time before somebody else tries it?

    2. Re:What's to stop it from happening again? by mark-t · · Score: 1

      That would only be applicable if they lacked the ability to prevent it. I was operating under the assumption that they did, and if that were the case, there would be no compelling reason to explain what was done to mitigate the problem from occurring in the future.

    3. Re:What's to stop it from happening again? by antdude · · Score: 1

      I noticed their careers page had a lot of web hirings the last 1.5 years. I wonder if this was related.

      --
      Ant(Dude) @ Quality Foraged Links (AQFL.net) & The Ant Farm (antfarm.ma.cx / antfarm.home.dhs.org).
  11. Re:Good thing newegg doesn't have anything by jellomizer · · Score: 1

    I really don't get the point of your post. Newegg sells computers and computer components. In today's economy a lot of it would be hard to find at a store, or you would need to buy it from a bunch of sources. Sure, most of what Newegg sells you can probably get at Amazon.
    Do you just hate everything? As you type AC posts on a hand-me-down Pentium?

    --
    If something is so important that you feel the need to post it on the internet... It probably isn't that important.
  12. Re:bad company, expected outcome. by jellomizer · · Score: 1

    This is what I read:
    Newegg messed up one of your orders. You were a jerk to them, so they stopped feeding your trolling.

    The phrase "the customer is always right" is just that, a phrase, not a rule. It isn't an excuse to be abusive to a company or an employee.

    --
    If something is so important that you feel the need to post it on the internet... It probably isn't that important.
  13. Re:Use PayPal or similar. by azcoyote · · Score: 1

    I'm no authority, but as far as I can tell PayPal should be unaffected. It sounds like data was scooped off the front-end of the web site, i.e., from filling out the forms. But PayPal does not fill out forms; it sends data directly. So it should not be affected.

    I am guessing also that my card number was not stolen since I used a saved number, rather than entering it in. However, Newegg always has you retype the CVV code, so that was definitely stolen in my case.

    --
    Incipiamus, fratres, servire Domino Deo, quia hucusque vix vel parum in nullo profecimus.
  14. Links to RiskIQ and Volexity reports by bosef1 · · Score: 3, Informative

    Here are the links to the original RiskIQ and Volexity reports on the breach.

    RiskIQ: https://www.riskiq.com/blog/la...

    Volexity: https://www.volexity.com/blog/...

    Their conclusion is basically to get a new credit card number if you transacted with Newegg from 13 Aug through 18 Sep 2018.

    1. Re:Links to RiskIQ and Volexity reports by locopuyo · · Score: 1

      Has newegg said how that code got on their site?

    2. Re:Links to RiskIQ and Volexity reports by xxxJonBoyxxx · · Score: 1

      Take a look at this analysis. It's for the similar attack on British Airways but it gives some more clues, such as corrupting a "standard, trusted 3rd party Javascript library" (like "modernizr"), and it also (through the path) suggests that there might be a vulnerable "CMS" on that machine (that could have let the hackers in).

      https://www.peerlyst.com/posts/inside-the-magecart-breach-of-british-airways-how-22-lines-of-code-claimed-380-000-victims-barrett-louie

  15. Newegg alternatives? by cptnapalm · · Score: 1

    Having just bought some things, I'm concerned, of course. Not to mention, newegg isn't remotely as good as they once were. Hell, I bought something on eBay and he shipped it two days faster and will get to me a week earlier than a similar order from newegg.

    What are some good alternatives, outside of eBay and Amazon?

    1. Re:Newegg alternatives? by mangastudent · · Score: 1

      I have yet to regret a B&H purchase, have been using them for video and camera stuff since the 1990s. Just got a used Tamron lens from them, exactly as described (their 8+). Am even thinking of buying some SD cards from them because I just don't trust Amazon for that sort of thing any more. Only oddity is that it's run by Hasidic Jews, so they shut down except for web browsing during the Sabbath, no problem if you're patient.

      Walmart.com has great control over their supply chain, they're really strict about that, although I'm sure they get taken every once in a while. Newegg still seems to be OK for me, as long as in a search I click them as the only retailer, as far as I know they aren't sharing their logistics system with their 3rd parties like Amazon does, and their multifactor search for computer components is still very good.

      Now that the CreateSpace/Kindle part of Amazon is banning books wholesale, they've solidly lowered themselves to the bottom of my list of general Internet vendors given their massive and very hard to avoid counterfeit/commingling issues.

  16. Masterpass by llZENll · · Score: 1

    What if I paid using masterpass?

  17. I remember Newegg... *sigh* by gosand · · Score: 1

    Many years ago (1998ish maybe?) I found out about Newegg and ordered a couple of sticks of RAM from them. They shipped me double what I ordered, and charged me for it. It was a nightmare to get my money refunded even AFTER I shipped back two sticks on my dime. It was such a bad experience that I swore I would never order from them again.

    Fast forward a few years and I decided to give them another chance, and wow had they changed! They were my gold-standard for internet shopping experience. Fast, often free, shipping, perfect amount of communication and tracking, best prices, feature-rich search options, and fantastic review system.

    Needless to say, I haven't bought anything from them for a few years now. It was caused by ordering something that I didn't realize was shipping directly from China. I still go to their site to find items and sometimes read the reviews, but I can now shop around once I find the item I want. Their reviews are still better than Amazon's, but Newegg just isn't close to what it used to be.

    --

    My beliefs do not require that you agree with them.

  18. Newegg press release? by wellard1981 · · Score: 2

    And when was Newegg going to inform their customers about this? Strange that we had to find out about this from a 3rd party news source. Does this only impact Newegg US, or are other countries where Newegg does business affected too?

    1. Re:Newegg press release? by WoodstockJeff · · Score: 1

      NewEgg informed me via email before the story broke.

      It was the first time I'd purchased through NewEgg in a long time.

      An hour later, the information that may or may not have been stolen (I don't show net traffic to that domain) was invalid, so it's minimal impact to me.

  19. Re:bad company, expected outcome. by jwhyche · · Score: 3

    I've had newegg mess up a few of my orders. Every time they practically tripped all over themselves to make it right. I can complain about a few things from newegg, but my experience with their customer service isn't one of them.

    --
    I read at +2. If your post doesn't reach that level I will not see or respond to it.
  20. Re:bad company, expected outcome. by jellomizer · · Score: 1

    Why would it be considered libel?
    I am not saying he is that or did that, I just interpreted his comment to have that meaning.

    It would be libel if I were to say "Don't sell stuff to this guy, because he is a bad customer."

    --
    If something is so important that you feel the need to post it on the internet... It probably isn't that important.
  21. Re: bad company, expected outcome. by jellomizer · · Score: 1

    I haven't used New Egg in over a decade.
    But the Grandmother getting the kids the cheap ripoff is almost a trope.
    But hey I am going to keep my Genuine Cook-e-man cards, they are going to be worth so much in the future.

    --
    If something is so important that you feel the need to post it on the internet... It probably isn't that important.
  22. Re:Use PayPal or similar. by Oswald+McWeany · · Score: 1

    I'm no authority, but as far as I can tell PayPal should be unaffected. It sounds like data was scooped off the front-end of the web site, i.e., from filling out the forms. But PayPal does not fill out forms; it sends data directly. So it should not be affected.

    I am guessing also that my card number was not stolen since I used a saved number, rather than entering it in. However, Newegg always has you retype the CVV code, so that was definitely stolen in my case.

    I always use PayPal when I can, partially for this reason. I hate when sites won't take PayPal.

    --
    "That's the way to do it" - Punch
  23. Re:Use PayPal or similar. by Anubis+IV · · Score: 1

    I'd actually suggest that the better way to handle payments is to reduce the value of the information transferred, namely, have the buyer's device generate a single-use token that can only be redeemed by the seller and can only be redeemed for the amount of the transaction(s). No credit card number that can be reused dozens of times. No PIN or security code. No home address. No name. Just a token that's useless once the transaction completes.

    Apple Pay and other systems already do this transparently whether you use them in-person or online, which is great, since it both limits the scope of the damage (the most you could even possibly be on the hook for is that one transaction) and prevents a number of attacks from being possible in the first place (e.g. even if someone managed to scrape the token, they couldn't do anything with it).

    There are still attacks that can be done against such systems, but most of them would revolve around replacing the seller's ID with your own in their system, thus redirecting the buyer's funds to your account. Doing so would reveal your hack immediately, however, since sellers tend to notice pretty quickly when they aren't getting paid.

    And, as I said, Apple Pay isn't the only one doing this. In much the same way that some of us have used services that provide throwaway e-mail addresses to sign up for sites, there are "credit card" services that provide single-use credit card numbers that are only authorized for the amount of a given transaction. You can generate a one-off credit card number about as easily as you might fill in your password for a site from a password manager. They still have your other information attached, but they're a step in the right direction.
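
    The single-use, seller-and-amount-bound token this comment describes, sketched as an added Python example. It is not code from the comment, from Apple Pay, or from any payment provider; the HMAC-based token format, the issuer key, the merchant ids and the amounts are constructed assumptions chosen to show why a skimmed token is worthless to a third party: it only redeems once, only for the named seller, and only for the named amount.

```python
"""Single-use payment token demo (added example; the format is an assumption).

Constructed model: the issuer holds a secret key, a token is a JSON body
(random id, merchant id, amount) plus an HMAC-SHA256 tag over that body, and
the issuer remembers spent ids so each token redeems exactly once.
"""
import base64
import binascii
import hashlib
import hmac
import json
import secrets


class TokenIssuer:
    def __init__(self, key: bytes):
        self._key = key          # issuer-side secret (constructed)
        self._spent = set()      # ids already redeemed (replay protection)

    def issue(self, merchant_id: str, amount_cents: int) -> str:
        """Mint a token bound to one seller and one amount."""
        payload = {
            "id": secrets.token_hex(16),   # unique per token
            "merchant": merchant_id,
            "amount": amount_cents,
        }
        body = json.dumps(payload, sort_keys=True).encode()
        tag = hmac.new(self._key, body, hashlib.sha256).hexdigest()
        return base64.urlsafe_b64encode(body).decode() + "." + tag

    def redeem(self, token: str, merchant_id: str, amount_cents: int) -> bool:
        """Accept the token only if it is authentic, unspent, and bound to
        exactly this merchant and amount. Returns True on success."""
        try:
            body_b64, tag = token.split(".")
            body = base64.urlsafe_b64decode(body_b64)
        except (ValueError, binascii.Error):
            return False                               # malformed token
        expected = hmac.new(self._key, body, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, tag):
            return False                               # forged or tampered
        payload = json.loads(body)
        if payload["merchant"] != merchant_id:
            return False                               # redirected to another seller
        if payload["amount"] != amount_cents:
            return False                               # amount changed
        if payload["id"] in self._spent:
            return False                               # replay of a captured token
        self._spent.add(payload["id"])
        return True


def tamper_amount(token: str, new_amount: int) -> str:
    """Model a skimmer editing the amount inside a captured token (the tag is
    left as-is, so the issuer should reject the result)."""
    body_b64, tag = token.split(".")
    payload = json.loads(base64.urlsafe_b64decode(body_b64))
    payload["amount"] = new_amount
    body = json.dumps(payload, sort_keys=True).encode()
    return base64.urlsafe_b64encode(body).decode() + "." + tag


def demo() -> dict:
    """Walk through the properties the comment describes; returns outcomes."""
    issuer = TokenIssuer(b"constructed-issuer-key")
    token = issuer.issue("shop-a", 12999)
    return {
        "first_redeem": issuer.redeem(token, "shop-a", 12999),      # True
        "replay": issuer.redeem(token, "shop-a", 12999),            # False
        "other_merchant": issuer.redeem(
            issuer.issue("shop-a", 500), "shop-b", 500),            # False
        "wrong_amount": issuer.redeem(
            issuer.issue("shop-a", 500), "shop-a", 9999),           # False
        "tampered": issuer.redeem(
            tamper_amount(issuer.issue("shop-a", 500), 1), "shop-a", 1),  # False
    }


if __name__ == "__main__":
    print(demo())
```

    The point of binding the merchant id into the signed body is the one the comment raises about swapping the seller's id: a token captured from the checkout page cannot be redeemed by anyone other than the seller it was minted for, and once that seller redeems it the id is spent, so the skimmer ends up holding nothing reusable.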

  24. Taking advantage of all the CRAP by WoodstockJeff · · Score: 1

    Big companies and small companies alike are addicted to WEBSTATS. It's hard to find a page out there that doesn't have 14 bits of Javascript code dedicated to giving better, targeted advertising and "customer service experience", so people would hardly be suspicious of code that sends information to "neweggstats.com".

    There are HSTS headers that can be put on HTTPS pages to make sure the browser doesn't fall for this sort of thing, but using them tells the browser not to talk to those precious stat servers... so the stat-addicts won't.

    1. Re:Taking advantage of all the CRAP by txsable · · Score: 1

      One of us is misunderstanding what HSTS is for. From my reading, it appears that this helps mitigate man-in-the-middle protocol downgrade attacks and cookie hijacking, but it would not do a thing to prevent a browser from accessing a third-party or spoofed site with a valid certificate. Am I misunderstanding this?